Abstract

Strand space analysis [13, 12] is a method for stating and proving correctness properties for cryptographic protocols. In this paper we apply the same method to the related problem of mixed protocols, and show that a protocol can remain correct even when used in combination with a range of other protocols.

We illustrate the method with the familiar Otway-Rees [10, 1] protocol. We identify a simple and easily verified characteristic of protocols, and show that the Otway-Rees protocol remains correct even when used in combination with other protocols that have this characteristic.

We also illustrate this method on the Neuman-Stubblebine protocol [9]. This protocol has two parts, an authentication protocol (I) in which a key distribution center creates and distributes a Kerberos-like key, and a re-authentication protocol (II) in which a client resubmits a ticket containing that key. The re-authentication protocol II is known to be flawed [2]. We show that in the presence of protocol II, there are also attacks against protocol I. We then define a variant of protocol II, and prove an authentication property of I that holds even in combination with the modified II.


1 Introduction

In [13, 12, 14], we proposed a general model for encryption protocols and used this model to study specific protocols. In those instances, we assumed that the protocols were being run in a "pure" environment: one in which the protocol is used in isolation. In such an environment, all activity would either be penetrator activity or the activity of a legitimate participant of that protocol.

In practice, however, no environment is "pure." Many different protocols may be in use at the same time, by the same parties, using the same communication channels. As noted in [5], there are at least three reasons that different protocols might use the same secret information:

• Certification is costly, so users will want to use as few certified keys as possible;

• Widespread use of cryptographic APIs will lead to multiple uses of key formats, and perhaps the keys themselves; and

• Smart cards have limited capacities, so cards that are used for multiple protocols might use the same key material for more than one protocol.

Re-use of key material is also a consideration in protocols with multiple parts, such as the Kerberos [6] and the Neuman-Stubblebine [9] protocols. One sub-protocol may be used to retrieve a ticket from a key distribution center, while a second sub-protocol is used to re-present that same ticket to a security-aware server. In such a case, the same secret key is used in two different ways.

In this paper we study the case of mixed protocols, where principals use secret material in more than one protocol. In such cases the two protocols can potentially interact, forming vulnerabilities not present in either protocol alone. We apply the strand space model to such cases, and show that the same concepts and techniques used to analyze the pure environment still apply in the mixed environment.

There have been previous attempts to reason rigorously about protocol interactions. For instance, Meadows [8] studies the Internet Key Exchange protocol, emphasizing the potential interactions among its specific sub-protocols. Gong and Syverson [3] define a (fairly restrictive) class of protocols such that any members of this class may be freely mixed without security failures.

However, our approach is somewhat different. We study a given protocol, which we refer to as the primary protocol, and identify some loosely syntactic conditions. We then show that any secondary protocol that meets these syntactic conditions may freely mix with the primary protocol without undermining its secrecy and authentication properties. As we shall see, this sort of result is quite natural given the strand space proof methods. These results fall out from a careful examination of the proofs that the primary protocol meets its security goals in isolation.

In the remainder of this paper, we start (Section 2) by providing a résumé of the strand space theory. We then expand the theory to accommodate the case of mixed protocols (Section 3). We then (Section 4) revisit a familiar example, the Otway-Rees protocol, which we first studied in [12]. We reproduce some results from [12] in the new context of a mixed environment, and obtain a general constraint which must be met by the other protocols in the environment for Otway-Rees to maintain its correctness properties.

In Section 5, we turn to the Neuman-Stubblebine protocol [9], intended as an example of a protocol with multiple parts. The first part of the Neuman-Stubblebine protocol, called the authentication part, distributes a secret key and a Kerberos-like ticket to a client. In the second part of the protocol, called the re-authentication part, the client uses that key and ticket to authenticate itself to a security-aware server.

We perform the same analysis as in Section 4 on the authentication part of the Neuman-Stubblebine protocol, and again obtain a general constraint on other protocols in the environment. We show that the re-authentication part does not meet this constraint, and demonstrate one vulnerability that results. We then modify the re-authentication part and show that it meets the general constraint, and so maintains the security of the authentication part.

We end with a brief discussion (Section 6).

2 Strand Spaces

The following is a brief overview of the strand space model as developed in [13], [12], and [14]. Although some theorems and concepts from those papers are reproduced here, the proofs and proof techniques are not. The reader is referred to those documents for a more complete and formal exposition. Those already familiar with the strand space method may safely skip this section.

In brief, we introduce a structure called a strand, which represents both the abilities of the penetrator and the local experience of a legitimate principal. We then define a structure on strands, called a bundle, which combines these local views to form a global view. We then define the penetrator, and show that the abilities of the penetrator obey strict bounds. We end with a few words on how these bounds can be used to prove correctness conditions.

More formally:

Definition 2.1 Let $\mathsf{A}$ be the set of messages that can be sent between principals. We will call elements of $\mathsf{A}$ terms.


A strand is a sequence of message transmissions and receptions, where transmission of a term $a$ is represented as $+a$ and reception of term $a$ is represented as $-a$. We will often write a strand as $\langle \pm a_1, \pm a_2, \ldots, \pm a_n \rangle$.

A node is any particular transmission or reception on a particular strand. We often write $\langle s, 1 \rangle$ for the first node on a strand $s$, $\langle s, 2 \rangle$ for the second, and so on.

In the case of a legitimate participant, the strand represents those messages that the participant would send or receive as part of one particular run of the protocol. In the case of the penetrator, the strands represent atomic deductions from which more complex actions can be formed. Note that principals are represented only by what they say and hear; the penetrator, however, can "say" anything that it can deduce.

Because strands are ordered sequences of message transmissions or receptions, it is meaningful to speak of when something is first said:

Definition 2.2 Let $I$ be a set of terms. Then a node $n$ is an entry point to $I$ if

1. the sign of $n$ is positive (i.e. a message transmission),
2. the term of $n$ is in $I$, and
3. the term of no previous node on the strand is in $I$.

In other words, entry points are those nodes where the strand "enters" the set, i.e. transmits something in the set without having previously transmitted or received anything in the set. Entry points are useful for discussing the origins of messages.

We use a similar concept to discuss the first time a particular value is sent out as part of a larger message. To do so, assume that the subterm relation is defined on $\mathsf{A}$: $t_1 \sqsubset t_2$ if $t_1$ is a subterm of $t_2$.

Definition 2.3 A term $t$ originates on a node $n$ iff $n$ is an entry point to the set $I = \{t' : t \sqsubset t'\}$.

We impose upon strands a graph structure with two types of edges: $\Rightarrow$ and $\rightarrow$. The first arrow represents immediate precedence on a strand:

Definition 2.4 If $n_i$ and $n_{i+1}$ are consecutive nodes on a strand, we write $n_i \Rightarrow n_{i+1}$.

The other edge represents inter-strand communication by transmission of terms. When one strand transmits a term, we allow another strand to receive that same term:

Definition 2.5 If a node $n_1 = +a$ and node $n_2 = -a$, then we write $n_1 \rightarrow n_2$.
Figure 1. A Bundle

A strand space, which is any collection of strands, can be thought of as an ordered graph on the nodes of those strands ($\mathcal{N}$) formed by the edges $\rightarrow$ and $\Rightarrow$. A bundle is a meaningful finite subgraph of $\langle \mathcal{N}, (\rightarrow \cup \Rightarrow) \rangle$. By "meaningful," we mean that it respects the laws of causality:

• Time flows in only one direction (the arrows of the bundle contain no loops), and

• Causal precedence is preserved. In other words, if an event occurs, then all other events necessary for that occurrence have also occurred. (Bundles are closed backward along arrows.)

Definition 2.6 Let $\mathcal{C} \subseteq (\rightarrow \cup \Rightarrow)$ be a set of edges, and let $\mathcal{N}_{\mathcal{C}}$ be the set of nodes incident with any edge in $\mathcal{C}$. $\mathcal{C}$ is a bundle if:

1. $\mathcal{C}$ is finite.
2. If $n_2 \in \mathcal{N}_{\mathcal{C}}$ and $\mathrm{term}(n_2)$ is negative, then there is a unique $n_1$ such that $n_1 \rightarrow n_2 \in \mathcal{C}$.
3. If $n_2 \in \mathcal{N}_{\mathcal{C}}$ and $n_1 \Rightarrow n_2$ then $n_1 \Rightarrow n_2 \in \mathcal{C}$.
4. $\mathcal{C}$ is acyclic.

(For simplicity, we will often speak of a node being in $\mathcal{C}$ when it is in $\mathcal{N}_{\mathcal{C}}$.) Figure 1 illustrates an example bundle.

The concept of a bundle is an important one: all possible runs of a protocol can be represented as bundles, and almost all correctness properties can be stated as properties of bundles.

Bundles also have a very useful property:

Lemma 2.7 Let $\mathcal{C}$ be a set of edges, and let $\preceq_{\mathcal{C}}$ be the transitive, reflexive closure of $\mathcal{C}$. If $\mathcal{C}$ is a bundle then $\preceq_{\mathcal{C}}$ is a partial order, i.e. a reflexive, transitive, antisymmetric relation. Then every non-empty set of the nodes of $\mathcal{C}$ has $\preceq_{\mathcal{C}}$-minimal elements.


This is also important to our model. Almost all of our reasoning will use the concept of $\preceq_{\mathcal{C}}$-minimal elements: both entry points and origination points are $\preceq_{\mathcal{C}}$-minimal elements for sets of certain forms. Before we progress further, however, we add more structure to $\mathsf{A}$ and develop our model of the penetrator.
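The following Python fragment is an added illustration of Definition 2.6 and Lemma 2.7; it is not part of the original paper. It encodes a strand as a list of signed terms and a node as a (strand, position) pair (an encoding assumed for this example), checks the four bundle clauses on a constructed set of edges, and computes the $\preceq_{\mathcal{C}}$-minimal elements of a node set. The strands and edges below are constructed for the example and are not those of Figure 1.

```python
"""Added example, not from the paper: checking the bundle clauses of
Definition 2.6 and finding the minimal elements of Lemma 2.7.
Encoding (an assumption of this example): a strand is a list of (sign, term)
pairs with sign '+' or '-'; a node is (strand_index, position); an edge is
('->', n1, n2) for a communication edge or ('=>', n1, n2) for a strand edge.
"""
from collections import defaultdict


def node(strands, n):
    """(sign, term) of node n."""
    return strands[n[0]][n[1]]


def is_valid_edge(strands, edge):
    """C must lie inside (-> U =>): '->' joins +a to -a, '=>' joins
    consecutive nodes of one strand."""
    kind, n1, n2 = edge
    (s1, t1), (s2, t2) = node(strands, n1), node(strands, n2)
    if kind == '->':
        return s1 == '+' and s2 == '-' and t1 == t2
    return kind == '=>' and n1[0] == n2[0] and n2[1] == n1[1] + 1


def successors(edges):
    succ = defaultdict(set)
    for _, n1, n2 in edges:
        succ[n1].add(n2)
    return succ


def is_acyclic(nodes, edges):
    succ, state = successors(edges), {}       # state: 'visiting' | 'done'

    def visit(n):
        if state.get(n) == 'visiting':
            return False                      # back edge: a cycle
        if state.get(n) == 'done':
            return True
        state[n] = 'visiting'
        ok = all(visit(m) for m in succ[n])
        state[n] = 'done'
        return ok
    return all(visit(n) for n in nodes)


def is_bundle(strands, edges):
    """Clauses 1-4 of Definition 2.6; returns (verdict, reason)."""
    edges = set(edges)                        # clause 1: finite
    if not all(is_valid_edge(strands, e) for e in edges):
        return False, "edge outside (-> U =>)"
    nodes = {n for _, n1, n2 in edges for n in (n1, n2)}    # N_C
    for n2 in nodes:
        if node(strands, n2)[0] == '-':       # clause 2: unique sender
            senders = [n1 for k, n1, m in edges if k == '->' and m == n2]
            if len(senders) != 1:
                return False, f"reception {n2} has {len(senders)} senders"
        s, i = n2                             # clause 3: closed backward on =>
        if i > 0 and ('=>', (s, i - 1), n2) not in edges:
            return False, f"strand predecessor of {n2} missing"
    if not is_acyclic(nodes, edges):          # clause 4
        return False, "cycle: time would flow backwards"
    return True, "bundle"


def minimal_elements(subset, edges):
    """Nodes of `subset` that no other member of `subset` strictly precedes
    under the reflexive-transitive closure of the edges (Lemma 2.7)."""
    succ = successors(edges)

    def reachable(n):
        seen, stack = set(), [n]
        while stack:
            for x in succ[stack.pop()]:
                if x not in seen:
                    seen.add(x)
                    stack.append(x)
        return seen
    subset = set(subset)
    return {n for n in subset if not any(n in reachable(m) for m in subset - {n})}


# Constructed exchange: strand 0 sends a and receives b; strand 1 does the converse.
STRANDS = [[('+', 'a'), ('-', 'b')], [('-', 'a'), ('+', 'b')]]
GOOD = {('=>', (0, 0), (0, 1)), ('=>', (1, 0), (1, 1)),
        ('->', (0, 0), (1, 0)), ('->', (1, 1), (0, 1))}
NO_SENDER = GOOD - {('->', (1, 1), (0, 1))}   # a reception nobody sent: clause 2
# Two strands that each wait for the other's output: every local clause holds,
# but the edges form a loop, so clause 4 fails.
LOOP_STRANDS = [[('-', 'a'), ('+', 'b')], [('-', 'b'), ('+', 'a')]]
LOOP = {('=>', (0, 0), (0, 1)), ('=>', (1, 0), (1, 1)),
        ('->', (0, 1), (1, 0)), ('->', (1, 1), (0, 0))}

if __name__ == "__main__":
    print(is_bundle(STRANDS, GOOD), is_bundle(STRANDS, NO_SENDER))
    print(is_bundle(LOOP_STRANDS, LOOP))
    print(minimal_elements({(0, 0), (0, 1), (1, 0), (1, 1)}, GOOD))
```

The LOOP case is the one worth noticing: each reception has a unique sender and every strand is closed backward, yet the two strands each wait for the other's output, so the edge set has a cycle and is rejected by clause 4 alone.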

The set of terms $\mathsf{A}$ is assumed to be freely generated from two sets:

• $\mathsf{T} \subseteq \mathsf{A}$, which contains texts (the atomic messages), and

• $\mathsf{K} \subseteq \mathsf{A}$, which contains keys (and is disjoint from $\mathsf{T}$),

by two operations:

• $\mathsf{encr} : \mathsf{K} \times \mathsf{A} \to \mathsf{A}$, which represents encryption, and

• $\mathsf{join} : \mathsf{A} \times \mathsf{A} \to \mathsf{A}$, which represents concatenation of terms.

We also define an injective unary operator $\mathsf{inv} : \mathsf{K} \to \mathsf{K}$, which maps each member of a public/private key pair to the other, and a symmetric key to itself. We will follow custom and write $\mathsf{inv}(K)$ as $K^{-1}$, $\mathsf{encr}(K, m)$ as $\{m\}_K$ and $\mathsf{join}(a, b)$ as $ab$. If $\mathsf{k}$ is a set of keys, $\mathsf{k}^{-1}$ denotes the set of inverses of elements of $\mathsf{k}$.

The freeness assumption is stronger than strictly necessary; we assume it here to simplify exposition. In [12] we develop the model with weaker freeness assumptions, allowing such relations as associativity of $\mathsf{join}$.

We define the subterm relationship $\sqsubset$ so that for $K \in \mathsf{K}$, $K \sqsubset \{g\}_K$ only if $K \sqsubset g$ already. Defining the subterm relationship in this way reflects an assumption about the penetrator's capabilities: that keys can be obtained from ciphertext only if they are embedded in the text that was encrypted. This might not always be the case—if, for instance, a dictionary attack is possible—but it is the assumption we will make here.

The powers that are available to the penetrator are characterized by two ingredients: a set of keys known initially to the penetrator, and a set of penetrator strands that allow the penetrator to generate new messages.

A penetrator set consists of a set of keys $\mathsf{K}_P$ which contains the keys initially known to the penetrator. Typically it would contain: all public keys; all private keys held by the penetrator or his accomplices; and all symmetric keys $K_{PX}$, $K_{XP}$ initially shared between the penetrator and principals playing by the protocol rules. It may also contain "lost keys" that became known to the penetrator previously.

The atomic actions available to the penetrator are encoded in a set of penetrator strands. They summarize his ability to discard messages, generate well known messages, piece messages together, and apply cryptographic operations using keys that become available to him. A protocol attack typically requires several of these atomic actions to be used in combination.

Definition 2.8 A penetrator strand is one of the following:

M. Text message: $\langle +t \rangle$ where $t \in \mathsf{T}$
F. Flushing: $\langle -g \rangle$
T. Tee: $\langle -g, +g, +g \rangle$
C. Concatenation: $\langle -g, -h, +gh \rangle$
S. Separation into components: $\langle -gh, +g, +h \rangle$
K. Key: $\langle +K \rangle$ where $K \in \mathsf{K}_P$.
E. Encryption: $\langle -K, -h, +\{h\}_K \rangle$.
D. Decryption: $\langle -K^{-1}, -\{h\}_K, +h \rangle$.

Strands that are not penetrator strands are regular strands.

(This set of penetrator strands gives the penetrator powers similar to those in other approaches, e.g. [7, 11].) By explicitly listing the abilities of the penetrator, we gain an important ability ourselves. Because the actions available to the penetrator are independent of any particular protocol, we can prove bounds on the penetrator that are also protocol-independent. In particular, we often show that a set of terms is honest:

Definition 2.9 A set $I \subseteq \mathsf{A}$ is honest relative to a bundle $\mathcal{C}$ if and only if whenever a penetrator node $p$ is an entry point for $I$, $p$ is an M node or a K node.

In other words, a set is honest if elements of that set cannot be synthesized by the penetrator. They can be guessed—by way of a lucky M node or K node—but the penetrator cannot deduce them via a sequence of decryptions, encryptions, concatenations, or separations.

In applications, honest sets are usually taken to be sets of a particular form, called ideals:

Definition 2.10 If $\mathsf{k} \subseteq \mathsf{K}$, a $\mathsf{k}$-ideal of $\mathsf{A}$ is any set $I \subseteq \mathsf{A}$ such that for all $h \in I$, $g \in \mathsf{A}$ and $K \in \mathsf{k}$

1. $hg, gh \in I$.
2. $\{h\}_K \in I$.

The smallest $\mathsf{k}$-ideal containing $h$ is denoted $I_{\mathsf{k}}[h]$. If $S \subseteq \mathsf{A}$, $I_{\mathsf{k}}[S]$ is the smallest $\mathsf{k}$-ideal containing $S$.

Our main theorem interrelates the structure of ideals with the property of honesty:

Theorem 2.11 Suppose $\mathcal{C}$ is a bundle over $\mathsf{A}$; $S \subseteq \mathsf{T} \cup \mathsf{K}$; $\mathsf{k} \subseteq \mathsf{K}$; and $\mathsf{K} \subseteq S \cup \mathsf{k}^{-1}$. Then $I_{\mathsf{k}}[S]$ is honest.


Intuitively, the set $S$ usually contains some number of secrets. The set $\mathsf{k}$ usually contains keys which should be considered insecure. Hence, the ideal $I_{\mathsf{k}}[S]$ would represent all terms where a secret occurs in a vulnerable position, i.e. encrypted only with insecure keys. In this case, the theorem states that under certain weak conditions the penetrator will be unable to synthesize elements of the ideal. Hence, if legitimate principals never utter an element of the ideal, then the penetrator is unable to synthesize them:

Corollary 2.12 Suppose $\mathcal{C}$ is a bundle, $\mathsf{K} = S \cup \mathsf{k}^{-1}$ and $S \cap \mathsf{K}_P = \emptyset$. If no regular node $n \in \mathcal{C}$ is an entry point for $I_{\mathsf{k}}[S]$, then no node in $\mathcal{C}$ is in $I_{\mathsf{k}}[S]$.

Contrapositively, if the penetrator can deduce an element of the ideal, then some legitimate principal must have slipped and let an element loose:

Corollary 2.13 Suppose $\mathcal{C}$ is a bundle, $\mathsf{K} = S \cup \mathsf{k}^{-1}$ and $S \cap \mathsf{K}_P = \emptyset$. If there exists a node $m \in \mathcal{C}$ such that $m$ is in $I_{\mathsf{k}}[S]$, then there exists a regular node $n \in \mathcal{C}$ such that $n$ is an entry point for $I_{\mathsf{k}}[S]$.

(Note that these are facts about honest sets in general applied to ideals in particular.)

Suppose a key can be proven secret by the above theorem. Then the penetrator is also unable to create any terms that are encrypted with that key:

Theorem 2.14 Suppose $\mathcal{C}$ is a bundle; $\mathsf{K} = S \cup \mathsf{k}^{-1}$; $S \cap \mathsf{K}_P = \emptyset$; and no regular node $\in \mathcal{C}$ is an entry point for $I_{\mathsf{k}}[S]$. Then any term of the form $\{g\}_K$ for $K \in S$ does not originate on a penetrator strand.
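The following Python fragment is an added illustration of Definitions 2.8 and 2.10 and of Theorems 2.11 and 2.14; it is not the paper's own code. It encodes the free term algebra as nested tuples with symmetric keys only (both assumptions of the example), decides whether the penetrator can utter a term by first closing his knowledge under the S and D strands and then synthesising with C and E strands, and tests membership in $I_{\mathsf{k}}[S]$. The key-distribution exchange it runs on, and all key and nonce names in it, are constructed for the example.

```python
"""Added example, not from the paper: a decision procedure for what the
penetrator of Definition 2.8 can utter, and membership in the k-ideals of
Definition 2.10, run on a constructed key-distribution exchange.
Term encoding (an assumption of this example): ('text', x) for T,
('key', x) for K, ('enc', K, m) for {m}_K, ('join', a, b) for ab.
All keys are taken to be symmetric, so inv(K) = K."""


def text(x): return ('text', x)
def key(x): return ('key', x)
def enc(k, m): return ('enc', k, m)


def join(*parts):
    """Right-nested concatenation: join(a, b, c) = a (b c)."""
    t = parts[-1]
    for p in reversed(parts[:-1]):
        t = ('join', p, t)
    return t


def inv(k):
    return k                                  # symmetric keys only


def analyze(known):
    """Close a set of terms under the S (separation) and D (decryption)
    strands; finite, because these strands only take terms apart."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if t[0] == 'join':
                new.update((t[1], t[2]))
            elif t[0] == 'enc' and inv(t[1]) in known:
                new.add(t[2])
        if new <= known:
            return known
        known |= new


def derivable(t, heard, Kp):
    """Can the penetrator say t? M strands supply any text, K strands any
    key in Kp, and C / E strands build joins and encryptions from parts."""
    facts = analyze(set(heard) | set(Kp))

    def synth(u):
        if u in facts or u[0] == 'text' or (u[0] == 'key' and u in Kp):
            return True
        if u[0] in ('join', 'enc'):
            return synth(u[1]) and synth(u[2])
        return False
    return synth(t)


def in_ideal(t, S, k):
    """t in I_k[S]: an element of S, joined with anything and encrypted
    only under keys in k (the least set closed under the two clauses)."""
    if t in S:
        return True
    if t[0] == 'join':
        return in_ideal(t[1], S, k) or in_ideal(t[2], S, k)
    if t[0] == 'enc':
        return t[1] in k and in_ideal(t[2], S, k)
    return False


# Constructed exchange: the server shares K_AS with A and K_PS with the
# penetrator P, and issues each of them a ticket carrying a session key.
K_AS, K_PS, K_AB, K_PB = key('K_AS'), key('K_PS'), key('K_AB'), key('K_PB')
N_A, N_P = text('N_A'), text('N_P')
KP = {K_PS}                                   # keys the penetrator starts with
HEARD = {join(text('A'), text('B'), enc(K_AS, join(N_A, K_AB))),  # A's ticket
         enc(K_PS, join(N_P, K_PB))}                               # P's ticket
# S = the long-term key to protect; k = every other key, so K = S u k^-1
# holds and Theorem 2.11 says I_k[S] is honest.
SECRETS = {K_AS}
K_INSECURE = {K_AS, K_PS, K_AB, K_PB} - SECRETS


def report():
    """(derivable?, in I_k[S]?) for a few terms of interest."""
    probes = {
        'long-term key K_AS': K_AS,
        'forwarded ticket': enc(K_AS, join(N_A, K_AB)),
        'forged ticket': enc(K_AS, join(N_P, K_AB)),
        'session key K_AB': K_AB,
        "penetrator's session key K_PB": K_PB,
        'anything under K_PS': enc(K_PS, N_A),
        'K_AS under session key': enc(K_AB, K_AS),
    }
    return {n: (derivable(t, HEARD, KP), in_ideal(t, SECRETS, K_INSECURE))
            for n, t in probes.items()}


if __name__ == "__main__":
    for n, (can_say, ideal) in report().items():
        print(f"{n:30s} derivable={can_say!s:5s} in I_k[S]={ideal}")
```

Two of the probes lie in the ideal (the long-term key itself, and the long-term key wrapped under a session key), and neither is derivable, which is what honesty of $I_{\mathsf{k}}[S]$ predicts once no heard term is itself in the ideal; the forwarded ticket is derivable only because it was received, which is exactly the forwarding that Theorem 2.14 allows while ruling out origination of a forged $\{g\}_{K_{AS}}$.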

These bounds are usually used in the following way: Suppose that one wishes to prove a correctness condition about a protocol. First, one forms a bundle that reflects the assumptions of the condition in question. Then the penetrator bounds can be used to prove that some other property about the bundle—the conclusion of the correctness condition—must follow.

For example, authentication conditions usually state that if a principal engages in one side of a protocol, then some other principal must have engaged in the other side of the protocol. In our model, local views of a protocol run are represented by regular strands, and global views of a protocol run are represented by bundles. The authentication condition then states that if a bundle contains one particular regular strand, then it must contain another regular strand of a certain form.

Secrecy conditions are more subtle. Because the penetrator is able to say anything that it can deduce, secrecy of a term is shown by proving that it is "unsayable." In particular, it is shown that no regular strand contains entry points to an honest set that contains the secret. Because the set is honest, no penetrator strand can contain an entry point either. Hence, no strand in the bundle is an entry point to the honest set, and therefore no node is in the set at all. Hence, the set—and in particular, the secret—cannot be said.

3 Multi-Protocol Strand Spaces

We use exactly the same notion of strand space [13, 12, 14]. In the case of mixed protocol environments, however, the regular strands may be those of more than one protocol. We identify one particular protocol for analysis and distinguish the strands of that protocol from all other regular strands:

Definition 3.1 A mixed strand space is a strand space in which a subset of the regular strands is distinguished. We refer to elements in this set as primary strands. The regular strands which are not primary strands are called secondary strands. A node is a primary or a secondary node iff it is on a primary or a secondary strand.

The intended interpretation of secondary strands is that they correspond to runs of other protocols.

When a strand space mixes protocols, it is typically crucial to correctness to ensure that no secondary strand originates values of some particular form.

Definition 3.2 A set $I \subseteq \mathsf{A}$ is unserved in a strand space $\Sigma$ if no entry point for $I$ is on a secondary strand in $\Sigma$.

A set $I \subseteq \mathsf{A}$ is strongly unserved in a strand space $\Sigma$ if for every $t \in I$, $t$ does not originate on any secondary strand in $\Sigma$.

In other words, if a set is unserved, then no "original" instances of the set will occur on secondary strands. They may hear one element of the unserved set and then speak another element, but they may not utter any element of the set without hearing an element first.

The strongly unserved condition is the same in form as the unserved condition, but is strengthened from the set level to the term level. Whereas secondary strands can only speak an element of an unserved set after hearing any other element, they can speak a value in a strongly unserved set—even as a subterm of a larger message—only after receiving that same exact value as a component of some previous message.

4 Mixing Otway-Rees

In this section, we review the Otway-Rees Protocol described and analyzed in [12], of which a normal run is summarized in Figure 2.

$M_1 = M\,A\,B\,\{N_a\,M\,A\,B\}_{K_{AS}}$
$M_2 = M\,A\,B\,\{N_a\,M\,A\,B\}_{K_{AS}}\,\{N_b\,M\,A\,B\}_{K_{BS}}$
$M_3 = M\,\{N_a\,K_{AB}\}_{K_{AS}}\,\{N_b\,K_{AB}\}_{K_{BS}}$
$M_4 = M\,\{N_a\,K_{AB}\}_{K_{AS}}$

Figure 2. Message Exchange in Otway-Rees

As in [12], assume the following:

• A set $\mathsf{T}_{name} \subseteq \mathsf{T}$ of names.

• A mapping $\mathbf{K} : \mathsf{T}_{name} \to \mathsf{K}$. This is intended to denote the mapping which associates to each principal the key it shares with the server. In the literature on this protocol this mapping is usually written using subscripts: $\mathbf{K}(A) = K_{AS}$. We assume the mapping $A \mapsto K_{AS}$ is injective. We also assume $K_{AS} = K_{AS}^{-1}$, i.e. that the protocol is using symmetric cryptography.

Let $L$ be the set of long-term keys, i.e. the range of $\mathbf{K}$.

We will adopt some conventions on variables for the remainder of this section:

• Variables $A, B, C, X$ range over $\mathsf{T}_{name}$;

• Variables $K, K'$ range over $\mathsf{K}$;

• Variables $N, M$ (or the same letters decorated with subscripts) range over $\mathsf{T} \setminus \mathsf{T}_{name}$, i.e. those texts that are not names.

Other letters such as $G$ and $H$ range over all of $\mathsf{A}$. We would emphasize that $N_a$ is just a variable, having no reliable connection to $A$, whereas $K_{AS}$ is the result of applying the function $\mathbf{K}$ to the argument $A$. Thus, the latter reliably refers to the long-term key shared between $A$ and $S$.

4.1 Otway-Rees Formalized

The primary strands for an Otway-Rees strand space may be read off Figure 2. There are only two fine points. First, we assume that the respondent never picks a nonce $N_b$ that happens to be the same as the initiator's nonce $N_a$. The respondent cannot enforce this directly, because $N_a$ occurs encrypted with the initiator's long term key; instead, we assume that a probabilistic mechanism enforces it (cf. [12, Section 5]). Second, we assume that the server always selects a session key with three properties: it is a symmetric key; it is unknown to the penetrator; and it is different from any long-term key. The server presumably relies on probabilistic mechanisms to ensure that the last two of these conditions are met.

Definition 4.1 Let $\Sigma$ be a strand space.

1. $\mathrm{Init}[A, B, N, M, K]$ is the set of strands $s \in \Sigma$ whose trace is

$\langle +M\,A\,B\,\{N\,M\,A\,B\}_{K_{AS}},\ -M\,\{N\,K\}_{K_{AS}} \rangle$

$\Sigma_{init}$ is the union of the range of $\mathrm{Init}$.

2. $\mathrm{Resp}[A, B, N, M, K, H, H']$ is defined when $N \not\sqsubset H$; its value then is the set of strands in $\Sigma$ whose trace is

$\langle -M\,A\,B\,H,\ +M\,A\,B\,H\,\{N\,M\,A\,B\}_{K_{BS}},\ -M\,H'\,\{N\,K\}_{K_{BS}},\ +M\,H' \rangle$

$\Sigma_{resp}$ is the union of the range of $\mathrm{Resp}$.

3. $\mathrm{Serv}[A, B, N_a, N_b, M, K]$ is defined if $K \notin \mathsf{K}_P$, $K \notin \{K_{AS} : A \in \mathsf{T}_{name}\}$ and $K = K^{-1}$; its value then is the set of strands in $\Sigma$ whose trace is:

$\langle -M\,A\,B\,\{N_a\,M\,A\,B\}_{K_{AS}}\,\{N_b\,M\,A\,B\}_{K_{BS}},\ +M\,\{N_a\,K\}_{K_{AS}}\,\{N_b\,K\}_{K_{BS}} \rangle$

$\Sigma_{serv}$ is the union of the range of $\mathrm{Serv}$.

Note that the sets $\Sigma_{serv}$, $\Sigma_{init}$, $\Sigma_{resp}$ are pairwise disjoint (cf. [12], Lemma 5.2).

For the rest of this example, we will assume that the primary strands are the elements of $\Sigma_{serv} \cup \Sigma_{init} \cup \Sigma_{resp}$ and that the secondary strands are strands of other, unspecified protocols.

Definition 4.2 Let $L_0 \subseteq L$.

• $\mathrm{Ticket}(L_0)$ = the set of all terms of the form $\{N\,K'\}_K$ for $N \in \mathsf{T} \setminus \mathsf{T}_{name}$, $K' \in \mathsf{K}$, and $K \in L_0$.

• $\mathrm{Request}(L_0)$ = the set of all terms of the form $\{N\,M\,A\,B\}_K$ for $N, M \in \mathsf{T} \setminus \mathsf{T}_{name}$, $A, B \in \mathsf{T}_{name}$, and $K \in L_0$.

• $I(L_0) = I_{\mathsf{k}}[L_0]$, where $\mathsf{k} = (\mathsf{K} \setminus L_0)$.

An Otway-Rees strand space $\Sigma$ respects a set $U$ of principals if, letting $L_0 = \mathbf{K}(U)$ be the image of $U$ under the "key of" mapping $\mathbf{K}$:

1. $L_0 \cap \mathsf{K}_P = \emptyset$;
2. $I(L_0)$ is unserved in $\Sigma$;
3. $\mathrm{Ticket}(L_0)$ and $\mathrm{Request}(L_0)$ are strongly unserved in $\Sigma$.

Otway-Rees remains correct in a mixed protocol environment $\Sigma$, for a collection of users $U$, if $\Sigma$ respects $U$. In this paper we will concentrate on a single aspect of the correctness of Otway-Rees, namely the authentication guarantee that Otway-Rees provides to its initiator. However, the secrecy property of Otway-Rees [12, Section 6] and the authentication guarantees it offers to the other participants [12, Section 7.2] may be modified in an equally straightforward way using the same assumptions on $\Sigma$.
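The following Python fragment is an added illustration of Definition 3.2 (unserved and strongly unserved sets) and of Clause 3 of Definition 4.2; it is not part of the original paper. It implements entry points and origination over the subterm relation of Section 2, builds the server strand of Definition 4.1 from constructed nonces, names and keys, and checks $\mathrm{Ticket}(L_0)$ against two constructed secondary protocols, RELAY and REKEY (assumptions of the example, not protocols from the literature), one of which satisfies the unserved condition but not the strongly unserved one. Names are encoded with their own tag so that $\mathsf{T}_{name}$ can be told apart from other texts.

```python
"""Added example, not from the paper: the unserved and strongly unserved
conditions of Definition 3.2, checked for Ticket(L0) of Definition 4.2
against two constructed secondary protocols, with the Otway-Rees server
strand of Definition 4.1 built from the same encoding.
Encoding (an assumption of this example): ('text', x) for texts, ('name', x)
for names in T_name, ('key', x) for keys, ('enc', K, m) for {m}_K and
('join', a, b) for ab; a strand is a list of (sign, term) pairs."""


def text(x): return ('text', x)
def name(x): return ('name', x)
def key(x): return ('key', x)
def enc(k, m): return ('enc', k, m)


def join(*parts):
    """Right-nested concatenation: join(a, b, c) = a (b c)."""
    t = parts[-1]
    for p in reversed(parts[:-1]):
        t = ('join', p, t)
    return t


def subterm(t, u):
    """t is a subterm of u. As in Section 2, a key that merely encrypts is
    not a subterm of the ciphertext."""
    if t == u:
        return True
    if u[0] == 'join':
        return subterm(t, u[1]) or subterm(t, u[2])
    return u[0] == 'enc' and subterm(t, u[2])


def subterms(u):
    """All subterms of u, in the sense of `subterm`."""
    yield u
    if u[0] == 'join':
        yield from subterms(u[1])
        yield from subterms(u[2])
    elif u[0] == 'enc':
        yield from subterms(u[2])


def entry_points(in_set, strand):
    """Indices of the entry points to the set described by the predicate
    in_set (Definition 2.2): positive, in the set, nothing earlier in it."""
    return [i for i, (sign, term) in enumerate(strand)
            if sign == '+' and in_set(term)
            and not any(in_set(u) for _, u in strand[:i])]


def originates(t, strand):
    """Index of the node on which t originates, or None (Definition 2.3)."""
    eps = entry_points(lambda u: subterm(t, u), strand)
    return eps[0] if eps else None


def unserved(in_set, secondary):
    """No entry point for the set lies on a secondary strand."""
    return not any(entry_points(in_set, s) for s in secondary)


def strongly_unserved(in_set, secondary):
    """No element of the set originates on a secondary strand; every
    uttered subterm is examined, since the set is given as a predicate."""
    return not any(in_set(t) and originates(t, s) is not None
                   for s in secondary for sign, term in s if sign == '+'
                   for t in subterms(term))


def ticket_set(L0):
    """Ticket(L0): {N K'}_K with N a non-name text, K' a key and K in L0."""
    return lambda t: (t[0] == 'enc' and t[1] in L0 and t[2][0] == 'join'
                      and t[2][1][0] == 'text' and t[2][2][0] == 'key')


# Constructed Otway-Rees values (Figure 2 / Definition 4.1).
A, B = name('A'), name('B')
K_AS, K_BS, K_AB = key('K_AS'), key('K_BS'), key('K_AB')
M, N_A, N_B = text('M'), text('N_A'), text('N_B')
L0 = {K_AS, K_BS}
REQ_A, REQ_B = enc(K_AS, join(N_A, M, A, B)), enc(K_BS, join(N_B, M, A, B))
TICKET_A, TICKET_B = enc(K_AS, join(N_A, K_AB)), enc(K_BS, join(N_B, K_AB))
SERV = [('-', join(M, A, B, REQ_A, REQ_B)), ('+', join(M, TICKET_A, TICKET_B))]

# Two constructed secondary protocols sharing the long-term key K_AS.
# RELAY repeats the exact ticket it received: nothing in Ticket(L0) originates.
RELAY = [('-', TICKET_A), ('+', TICKET_A)]
# REKEY hears a ticket and answers with a fresh ticket-shaped term: the set was
# heard first, so Ticket(L0) stays unserved, but the new value originates here,
# so Ticket(L0) is not strongly unserved.
REKEY = [('-', TICKET_A), ('+', enc(K_AS, join(text('N_X'), K_AB)))]

if __name__ == "__main__":
    T = ticket_set(L0)
    print(originates(TICKET_A, SERV))                        # 1
    print(unserved(T, [RELAY]), strongly_unserved(T, [RELAY]))
    print(unserved(T, [REKEY]), strongly_unserved(T, [REKEY]))
```

REKEY is the case that separates the two conditions of Definition 3.2: its second node is not an entry point for $\mathrm{Ticket}(L_0)$, because a ticket was heard first, yet the specific ticket it utters never arrived as a subterm of an earlier message, so that ticket originates on a secondary strand and Clause 3 of Definition 4.2 fails.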

4.2 Mixed Otway-Rees: Authentication

In this subsection we will prove the authentication guarantee that Otway-Rees provides to its initiator. The proofs are minor modifications of the proofs given in [12].

4.2.1 Preliminaries

We first need a pair of small lemmas. The first is specific to the case of mixed protocols; the second matches a result given in [12].

Proposition 4.3 Consider a bundle $\mathcal{C}$ in $\Sigma$. Suppose $L_0 \subseteq L$ is such that $L_0 \cap \mathsf{K}_P = \emptyset$ and $I(L_0)$ is unserved in $\Sigma$. Then no term of the form $\{g\}_K$ for $K \in L_0$ can originate on a penetrator node in $\mathcal{C}$.

PROOF. To apply Theorem 2.14, with $S = L_0$ and $\mathsf{k} = \mathsf{K} \setminus L_0$, we must check that no regular node $n$ is an entry point for $I_{\mathsf{k}}[S] = I(L_0)$. By hypothesis, $n$ cannot be a secondary node; $n$ is thus a primary node. However, if $n$ is primary, no long-term key can occur as a subterm of $\mathrm{term}(n)$, unless it occurs within the $H$-term of a responder strand. But in this case $n$ is not an entry point for $I(L_0)$. ■

We also need a case analysis for the locations at which a term in $\mathrm{Ticket}(L_0)$ or $\mathrm{Request}(L_0)$ can originate, assuming that they are originating on a primary strand. The proof matches that of [12, Proposition 7.2 and Corollary 7.3].

Proposition 4.4 Let $s$ be a primary strand of $\Sigma$.

1. Suppose $t = \{N\,K\}_{K_{XS}}$ originates on $s$. Then $t$ and $K$ originate on $\langle s, 2 \rangle$, and either $s \in \mathrm{Serv}[X, B, N, N', M, K]$ or $s \in \mathrm{Serv}[A, X, N', N, M, K]$ for some $A, B, N', M$.

2. Suppose $t = \{N\,M\,A\,B\}_{K_{AS}}$ originates on $s$, with $A \neq B$. Then $t$ and $N$ originate on $\langle s, 1 \rangle$, and $s \in \mathrm{Init}[A, B, N, M, K]$ for some $K$.

3. Suppose $t = \{N\,M\,A\,B\}_{K_{BS}}$ originates on $s$, with $A \neq B$. Then $t$ and $N$ originate on $\langle s, 2 \rangle$, and $s \in \mathrm{Resp}[A, B, N, M, K, H, H']$, for some $K$, $H$, and $H'$.

4.2.2 Initiator's Guar antee

The following theorem asserts that if a bundle contains a strand $s \in \Sigma_{init}$, then under the expected assumptions, there are primary strands $s_{resp} \in \Sigma_{resp}$ and $s_{serv} \in \Sigma_{serv}$ which agree on the initiator, responder, and $M$ values.

Theorem 4.5 Suppose $\Sigma$ respects $U$ and $A, B \in U$. Suppose $\mathcal{C}$ is a bundle in $\Sigma$; $A \neq B$; and $N_a$ is uniquely originating in $\mathcal{C}$.

If $s \in \mathrm{Init}[A, B, N_a, M, K]$ has $\mathcal{C}$-height 2, then for some $N_b \in \mathsf{T}$ there are primary strands:

• $s_{serv} \in \mathrm{Serv}[A, B, N_a, N_b, M, K]$ of $\mathcal{C}$-height 2;

• $s_{resp} \in \mathrm{Resp}[A, B, N_b, M, K, H, H']$ of $\mathcal{C}$-height at least 2, for some $K$, $H$, and $H'$.

PROOF. The proof of this is similar to the proof of the initiator's guarantee for the unmixed Otway-Rees protocol. The novelty in this case is that we need to establish that a certain term originates on a primary node, whereas in the unmixed case it was sufficient to prove the term originated on a regular node. We will prove this by a sequence of steps. For the remainder of this section, fix $\Sigma$, $U$, $\mathcal{C}$ and $s$ such that the assumptions hold. In particular, by the last assumption of the theorem,

$\langle +M\,A\,B\,\{N_a\,M\,A\,B\}_{K_{AS}},\ -M\,\{N_a\,K\}_{K_{AS}} \rangle$

is the $\mathcal{C}$-trace of the strand $s$.

Step 1 There is an $s_{serv} \in \Sigma_{serv}$ with $\mathcal{C}$-height 2; $s_{serv}$ is either of the form $\mathrm{Serv}[A, X, N_a, N_b, M_1, K]$ or of the form $\mathrm{Serv}[X, A, N_b, N_a, M_1, K]$.

PROOF. We will apply Proposition 4.3 with $L_0 = \mathbf{K}(U)$, using Definition 4.2, Clauses 1 and 2; it follows that $\{N_a\,K\}_{K_{AS}}$ does not originate on a penetrator node in $\mathcal{C}$. Because $\{N_a\,K\}_{K_{AS}} \in \mathrm{Ticket}(L_0)$ and $\Sigma$ respects $U$, by Definition 4.2, Clause 3, it must originate on a primary strand; the node at which it originates is in $\mathcal{C}$. By Proposition 4.4 Clause 1, this node is $\langle s_{serv}, 2 \rangle$ where $s_{serv}$ satisfies one of the conditions:

1. $s_{serv} \in \mathrm{Serv}[A, X, N_a, N_b, M_1, K]$, or
2. $s_{serv} \in \mathrm{Serv}[X, A, N_b, N_a, M_1, K]$. ■

Fix $s_{serv} \in \Sigma_{serv}$, $X$, and $M_1$ satisfying the conditions given in Step 1.


Step 2 $s_{\mathrm{serv}} \in \mathrm{Serv}[A,X,N_a,N_b,M_1,K]$.

PROOF. Suppose, in order to derive a contradiction, that $s_{\mathrm{serv}} \in \mathrm{Serv}[X,A,N_b,N_a,M_1,K]$ holds instead. Then $\{N_a\, M_1\, X\, A\}_{K_{AS}}$ is a subterm of $\mathrm{term}(\langle s_{\mathrm{serv}}, 1\rangle)$.

By Proposition 4.3 with $L_0 = \mathrm{K}(U)$ again, using Definition 4.2, Clauses 1 and 2, $\{N_a\, M_1\, X\, A\}_{K_{AS}}$ originates on a regular strand $s_1$.

Using Clause 3, $\{N_a\, M_1\, X\, A\}_{K_{AS}}$ originates on a primary strand $s_1$, and by Proposition 4.4, $N_a$ originates on the same strand $s_1$.

But $N_a$ also originates on the strand we began with, $s \in \mathrm{Init}[A,B,N_a,M,K]$. Because $N_a$ originates uniquely, $s = s_1$. Hence by Proposition 4.4, $X = A = B$, contradicting an assumption. ■

Step 3 $X = B$ and $M_1 = M$.

PROOF. Since $s_{\mathrm{serv}} \in \mathrm{Serv}[A,X,N_a,N_b,M_1,K]$, $\{N_a\, M_1\, A\, X\}_{K_{AS}} \sqsubset \mathrm{term}(\langle s_{\mathrm{serv}}, 1\rangle)$. By Proposition 4.3 with $L_0 = \mathrm{K}(U)$ again, using Definition 4.2, Clause 1, $\{N_a\, M_1\, A\, X\}_{K_{AS}}$ originates on a regular strand $s_1$. Using Definition 4.2, Clause 3, $s_1$ is a primary strand. By Proposition 4.4, $N_a$ originates on the same strand $s_1$.

But $N_a$ also originates on $s$. Because $N_a$ originates uniquely, $s = s_1$. Thus $M_1 = M$ and $X = B$, and $s_{\mathrm{serv}} \in \mathrm{Serv}[A,B,N_a,N_b,M,K]$. ■

Step 4 For some $K$, $H$, and $H'$, there is a strand $s_{\mathrm{resp}} \in \mathrm{Resp}[A,B,N_b,M,K,H,H']$ of $\mathcal{C}$-height at least 2.

PROOF. We again use Proposition 4.3 and Definition 4.2, Clause 3 to infer that $\{N_b\, M\, A\, B\}_{K_{BS}}$ originates on a primary node in $\mathcal{C}$. By Proposition 4.4, this node is the second on a strand $s_{\mathrm{resp}} \in \mathrm{Resp}[A,B,N_b,M,K,H,H']$ for some $K$, $H$, and $H'$. Since $\langle s_{\mathrm{resp}}, 2\rangle \in \mathcal{C}$, it follows that $s_{\mathrm{resp}}$ has $\mathcal{C}$-height at least 2. ■

5 Neuman-Stubblebine

An important kind of multiple-protocol environment is a single protocol that contains multiple parts. Examples of such protocols, such as Kerberos [6], are currently in widespread use. In this paper, we will demonstrate the analysis of such protocols on the Neuman-Stubblebine protocol [9].

The general structural elements needed to describe the protocol are very similar to those of Otway-Rees. In particular, we assume given an injective mapping $\mathrm{K} : \mathbf{T}_{\mathrm{name}} \to \mathbf{K}$ which associates to each name a symmetric long term key shared with a central server, and the set $L$ of all long term keys defined to be the range of $\mathrm{K}$. For $K \in L$, $K^{-1} = K$.


$$\begin{aligned}
M_1 &= A\; N_a \\
M_2 &= B\; \{A\, N_a\, t_b\}_{K_{BS}}\; N_b \\
M_3 &= \{B\, N_a\, K\, t_b\}_{K_{AS}}\; \{A\, K\, t_b\}_{K_{BS}}\; N_b \\
M_4 &= \{A\, K\, t_b\}_{K_{BS}}\; \{N_b\}_K
\end{aligned}$$

Figure 3. Message Exchange in Neuman-Stubblebine


5.1 The Neuman-Stubblebine Protocol, Part I

The Neuman-Stubblebine protocol starts with an initial authentication protocol, summarized in Figure 3.

In this protocol, $K$ is a unique key generated by the Key Distribution Center $S$, and $t_b$ is an expiration time for the ticket $\{A\, K\, t_b\}_{K_{BS}}$. (We do not consider the issues of time and timestamps in our analysis.)

First, we define the primary strands to correspond to the three roles of the protocol:

Definition 5.1 Let $\Sigma$ be a strand space.

1. $\mathrm{Init}[A,B,N_a,N_b,t_b,K,H]$ is the set of strands $s \in \Sigma$ of the form:

$$\langle +\, A\, N_a,\ \ -\, \{B\, N_a\, K\, t_b\}_{K_{AS}}\, H\, N_b,\ \ +\, H\, \{N_b\}_K \rangle$$

$\Sigma_{\mathrm{init}}$ is the union of the range of $\mathrm{Init}$.

2. $\mathrm{Resp}[A,B,N_a,N_b,t_b,K]$ is the set of strands in $\Sigma$ of the form:

$$\langle -\, A\, N_a,\ \ +\, B\, \{A\, N_a\, t_b\}_{K_{BS}}\, N_b,\ \ -\, \{A\, K\, t_b\}_{K_{BS}}\, \{N_b\}_K \rangle$$

$\Sigma_{\mathrm{resp}}$ is the union of the range of $\mathrm{Resp}$.

3. $\mathrm{Serv}[A,B,N_a,N_b,t_b,K]$ is defined if $K \notin \mathbf{K}_P \cup L$ and $K = K^{-1}$; its value then is the set of strands in $\Sigma$ of the form:

$$\langle -\, B\, \{A\, N_a\, t_b\}_{K_{BS}}\, N_b,\ \ +\, \{B\, N_a\, K\, t_b\}_{K_{AS}}\, \{A\, K\, t_b\}_{K_{BS}}\, N_b \rangle$$

$\Sigma_{\mathrm{serv}}$ is the union of the range of $\mathrm{Serv}$.

An NS space is a strand space in which the primary strands are those in $\Sigma_{\mathrm{init}}$, $\Sigma_{\mathrm{resp}}$, or $\Sigma_{\mathrm{serv}}$.

We will not show that this protocol is correct in all respects. We use the Neuman-Stubblebine protocol as an illustrative example only, and so will instead focus on just one property: the authentication of initiator to responder.

The security of the Neuman-Stubblebine authentication protocol depends upon three types of terms:

1. Tickets, which are terms of the form $\{A\, K\, t_b\}_{K_{BS}}$. Tickets are how the secret key is distributed to the responder.

2. Distributions, or terms of the form $\{B\, N_a\, K\, t_b\}_{K_{AS}}$. The secret key is distributed to the initiator in terms of this form.

3. Confirmations, or terms of the form $\{N_b\}_K$. The initiator finishes the protocol by sending a confirmation to the responder.

We focus on the tickets, distributions, and confirmations built using actual long term keys and session keys; since we do not in general know what values these are, they appear in the definition as the parameters $L_0$ and $S_0$. As we use this definition, $k_0 = L_0 \cup S_0$.

Definition 5.2 Let $k_0 \subseteq \mathbf{K}$, $L_0 \subseteq L$ and $S_0 \subseteq \mathbf{K} \setminus L$:

1. $\mathrm{Ticket}(L_0)$ = the set of all terms of the form $\{X\, K\, t_x\}_{K'}$ for $X \in \mathbf{T}_{\mathrm{name}}$, $K' \in L_0$, $K \in \mathbf{K}$, and $t_x \in \mathbf{T} \setminus \mathbf{T}_{\mathrm{name}}$.

2. $\mathrm{Distribute}(L_0, S_0)$ = the set of all terms of the form $\{X\, N\, K\, t_x\}_{K'}$ for $X \in \mathbf{T}_{\mathrm{name}}$, $N, t_x \in \mathbf{T} \setminus \mathbf{T}_{\mathrm{name}}$, $K' \in L_0$, and $K \in S_0$.

3. $\mathrm{Confirm}(S_0)$ = the set of all terms of the form $\{N\}_K$ for $N \in \mathbf{T} \setminus \mathbf{T}_{\mathrm{name}}$, and $K \in S_0$.

4. $I(k_0) = I_k[k_0]$, where $k = (\mathbf{K} \setminus k_0)$.

5. $\mathrm{SK}(U)$ = the set of $K$ such that in $\Sigma$, $\exists A, B \in U \,.\, \mathrm{Serv}[A,B,*,*,*,K] \neq \emptyset$.


Clauses 1 through 3 formalize the terms of interest. Clause 4 is simply a notational convenience. Clause 5, on the other hand, allows us to define a particular set of keys. If we wish to prove a correctness condition about some arbitrary set $U$ of principals, we not only need to consider their long term keys but also the secret keys $\mathrm{SK}(U)$ distributed to any two principals in $U$, as defined in Clause 5.

Definition 5.3 An NS strand space $\Sigma$ respects a set of principals $U$ if, letting $L_0 = \mathrm{K}(U)$ and $S_0 = \mathrm{SK}(U)$:

1. $(L_0 \cup S_0) \cap \mathbf{K}_P = \emptyset$;

2. $I(L_0 \cup S_0)$ is unserved in $\Sigma$;

3. $\mathrm{Ticket}(L_0) \cup \mathrm{Distribute}(L_0, S_0) \cup \mathrm{Confirm}(S_0)$ is strongly unserved in $\Sigma$.

Intuitively, a strand space respects a set of principals if it does not interfere with the way the Neuman-Stubblebine protocol uses long term keys, session keys, tickets, distributions and confirmations among members of that set. The long term keys and session keys for those principals must be uncompromised (Clause 1). Secondary strands cannot place any of the above keys in vulnerable positions (Clause 2). Lastly, the tickets, distributions, and confirmations relevant to the principals of interest cannot come from secondary strands (Clause 3). We do not prohibit secondary strands from making terms of those three forms, only from making terms of those forms with values that might interfere with those of these principals. For instance, terms of the same forms could safely be constructed using a disjoint set of long term keys.

Before we examine the authentication property of interest, we apply Theorems 2.12 and 2.14 to show two preliminary lemmas: secrecy of keys, and non-synthesis of encrypted terms.

Fix a set of principals $U$, an NS space $\Sigma$, and a bundle $\mathcal{C}$. Let $L_0 = \mathrm{K}(U)$ and $S_0 = \mathrm{SK}(U)$.

Lemma 5.4 Suppose $A, B \in U$, $\Sigma$ respects $U$, and $K$ is uniquely originating. Let $s_{\mathrm{serv}} \in \mathrm{Serv}[A,B,*,*,*,K]$ be in $\mathcal{C}$. For every node $m \in \mathcal{C}$, $m \notin I(\{K, K_{AS}, K_{BS}\})$.

PROOF. Let $k_0 = \{K, K_{AS}, K_{BS}\}$. By Corollary 2.12 with $S = k_0$ and $k = \mathbf{K} \setminus k_0$, it is sufficient to show that no regular node is an entry point to $I(k_0)$. Because $I(k_0)$ is unserved, any regular node which is an entry point to the ideal must be a primary node.

By inspection, no term containing a key originates on any strand in $\Sigma_{\mathrm{init}}$ or $\Sigma_{\mathrm{resp}}$. However, if $s' \in \Sigma_{\mathrm{serv}}$ then a key originates on node $\langle s', 2\rangle$. So suppose that $\langle s', 2\rangle$ is an entry point to $I(k_0)$. Then $K \sqsubset \langle s', 2\rangle$, and since $K_{AS}, K_{BS} \not\sqsubset \langle s', 2\rangle$, $K$ originates on $s'$.

Since $K$ is uniquely originating, and it originates on $s_{\mathrm{serv}}$ as well as $s'$, $s' = s_{\mathrm{serv}}$. Moreover, $K$ does not occur in $\langle s', 2\rangle$ unencrypted or encrypted with anything but $K_{AS}$ or $K_{BS}$. Hence $s'$ does not contain an entry point into $I(k_0)$, and so no primary strand is an entry point to $I(k_0)$. ■

Lemma 5.5 Suppose $\Sigma$ respects $U$. Then no term of the form $\{g\}_K$ for $K \in L_0$ can originate on a penetrator node in $\mathcal{C}$.

PROOF. (Similar to that of Proposition 4.3.) Apply Corollary 2.14 with $S = L_0$ and $k = \mathbf{K} \setminus L_0$, and confirm that no regular node is an entry point for $I(L_0)$: Let $n$ be a regular entry point for $I(L_0)$. Since $I(L_0) \subseteq I(L_0 \cup S_0)$ is unserved in $\Sigma$, $n$ is not a secondary node. By observation, $n$ is not a primary node. ■

We can now prove the authentication condition under consideration:

Theorem 5.6 Suppose $\Sigma$ respects $U$; $A, B \in U$; and $K$ is uniquely originating. Suppose $\mathcal{C}$ is a bundle in $\Sigma$, and $s_1 \in \mathrm{Resp}[A,B,N_a,N_b,t_b,K]$ has $\mathcal{C}$-height 3.

Then some $s_3 \in \mathrm{Init}[A,B,*,N_b,t_b,K]$ has $\mathcal{C}$-height 3.

We prove this property by a series of intermediate steps. For those who are uninterested in the details, the statements of each step provide a sketch of the proof.

Step 1 There is an $s_2 \in \mathrm{Serv}[A,B,*,*,t_b,K]$ with $\mathcal{C}$-height 2.

PROOF. $\{A\, K\, t_b\}_{K_{BS}} \sqsubset \langle s_1, 3\rangle$. By Proposition 5.5, $\{A\, K\, t_b\}_{K_{BS}}$ originates on a regular node in $\mathcal{C}$. Because $\{A\, K\, t_b\}_{K_{BS}} \in \mathrm{Ticket}(L_0)$, that regular node is a primary node $n$. By inspection, $n = \langle s_2, 2\rangle$ where $s_2 \in \mathrm{Serv}[A,B,*,*,t_b,K]$. ■

Step 2 There is an $s_3 \in \mathrm{Init}[X,Y,N_x,N_b,t_y,K]$ with $\mathcal{C}$-height 3.

PROOF. By Step 1, $K \in S_0$. By Proposition 5.4 and Corollary 2.14, no term of the form $\{g\}_K$ originates on a penetrator strand. Hence $\{N_b\}_K$, which is a subterm of $\langle s_1, 3\rangle$, originates on a regular node $n' \in \mathcal{C}$. Because $\{N_b\}_K \in \mathrm{Confirm}(S_0)$, $n'$ is a primary node. By inspection, $n' = \langle s_3, 3\rangle$ where $s_3 \in \mathrm{Init}[X,Y,N_x,N_b,t_y,K]$ for some $X$, $Y$, $N_x$, $t_y$. ■

Step 3 There is an $s_4 \in \mathrm{Serv}[X,Y,*,N_b,t_y,K]$ with $\mathcal{C}$-height 2.

PROOF. Letting $t = \{Y\, N_b\, K\, t_y\}_{K_{XS}}$, we see that $t \sqsubset \langle s_3, 2\rangle$. If $K_{XS} \notin L_0$, then $t \in I(L_0 \cup S_0)$, contradicting Proposition 5.4. By Proposition 5.5, $t$ originates on a regular node $n''$; because $t \in \mathrm{Distribute}(L_0, S_0)$, $n''$ is a primary node.

Inspecting the primary strands, we see that $n'' = \langle s_4, 2\rangle$ where $s_4 \in \mathrm{Serv}[X,Y,*,N_b,t_y,K]$. ■

Step 4 $s_2 = s_4$.

PROOF. $K$ is uniquely originating, and originates on both $s_2$ and $s_4$. ■

Step 5 $s_3 \in \mathrm{Init}[A,B,*,N_b,t_b,K]$ and $s_3$ has $\mathcal{C}$-height 3.

PROOF. Since $s_2 \in \mathrm{Serv}[A,B,*,N_b,t_b,K]$, $X = A$, $Y = B$, and $t_y = t_b$. In that case, $s_3 \in \mathrm{Init}[A,B,*,N_b,t_b,K]$, and it is already established that $s_3$ has $\mathcal{C}$-height 3. ■

In other words, if the responder $B$ finishes a run of the protocol apparently with $A$, then under the conditions given, $A$ will have finished a run with $B$.

5.2 Part II (Re-Authentication)

Like Kerberos, this protocol is designed to secure other protocols in which the responder $B$, which typically provides some networked service, responds to requests from $A$ but keeps no state itself. In such a case, $A$ may need to issue several requests to $B$ and so must re-authenticate itself each time. To that end the Neuman-Stubblebine protocol has a re-authentication part, in which $A$ reuses the ticket issued to it in the initial protocol:

$$\begin{aligned}
\mathrm{II}_1 \quad & A \to B : N'_a\; \{A\, K\, t_b\}_{K_{BS}} \\
\mathrm{II}_2 \quad & B \to A : \{N'_a\}_K\; N'_b \\
\mathrm{II}_3 \quad & A \to B : \{N'_b\}_K
\end{aligned}$$

This re-authentication protocol is known to be flawed on its own [4]. However, it also introduces a potential attack on the initial authentication protocol. If $B$ keeps no state, more specifically, if $B$ does not track successful runs of the authentication part of the protocol, then the following attack can be accomplished by starting a run of the re-authentication protocol with $B$ before the initial protocol has finished:

$$\begin{aligned}
1. \quad & Z(A) \to B : A\; N_a \\
2. \quad & B \to S : B\; \{A\, N_a\, t_b\}_{K_{BS}}\; N_b \\
3. \quad & S \to Z(A) : \{B\, N_a\, K\, t_b\}_{K_{AS}}\; \{A\, K\, t_b\}_{K_{BS}}\; N_b \\
\mathrm{II}_1 \quad & Z(A) \to B : N_b\; \{A\, K\, t_b\}_{K_{BS}} \\
\mathrm{II}_2 \quad & B \to Z(A) : \{N_b\}_K\; N'_b \\
4. \quad & Z(A) \to B : \{A\, K\, t_b\}_{K_{BS}}\; \{N_b\}_K
\end{aligned}$$

The attack is possible because a term in $\mathrm{Confirm}(S_0)$ can now originate on a secondary strand (from the re-authentication part of the protocol). This attack does not seem to be known in the literature. However, it is a pure authentication attack; no session keys (for instance) are divulged.

A variant of the re-authentication part, however, satisfies the conditions of Lemmas 5.4, 5.5, and Theorem 5.6.

$$\begin{aligned}
\mathrm{II}'_1 \quad & A \to B : N'_a\; \{A\, K\, t_b\}_{K_{BS}} \\
\mathrm{II}'_2 \quad & B \to A : \{N'_a\, N'_b\}_K \\
\mathrm{II}'_3 \quad & A \to B : \{A\, N'_b\}_K
\end{aligned}$$

To formalize $\mathrm{II}'$, we add a "phantom" starting message in which the initiator receives a copy of message 3 from a run of protocol I. This serves merely to represent the state in which a principal stores the results of a run of I, until ready to begin a run of $\mathrm{II}'$.

Definition 5.7 Let $\Sigma$ be a strand space.

1. $\mathrm{ReInit}[A,B,N'_a,N'_b,t_b,K,G,H]$ is the set of strands in $\Sigma$ of the form:

$$\langle -\, \{B\, N_a\, K\, t_b\}_{K_{AS}}\, G\, H,\ \ +\, N'_a\, G,\ \ -\, \{N'_a\, N'_b\}_K,\ \ +\, \{A\, N'_b\}_K \rangle$$

where $N_a \in \mathbf{T}$ and $G, H \in \mathbf{A}$. $\Sigma_{\mathrm{reinit}}$ is the union of the range of $\mathrm{ReInit}$.

2. $\mathrm{ReResp}[A,B,N'_a,N'_b,t_b,K]$ is the set of strands in $\Sigma$ of the form:

$$\langle -\, \{A\, K\, t_b\}_{K_{BS}}\, N'_a,\ \ +\, \{N'_a\, N'_b\}_K,\ \ -\, \{A\, N'_b\}_K \rangle$$

$\Sigma_{\mathrm{reresp}}$ is the union of the range of $\mathrm{ReResp}$.

An NS+ space is an infiltrated strand space in which all the regular strands are in $\Sigma_{\mathrm{init}}$, $\Sigma_{\mathrm{resp}}$, $\Sigma_{\mathrm{serv}}$, $\Sigma_{\mathrm{reinit}}$, or $\Sigma_{\mathrm{reresp}}$.

Observe that no node on these strands is an entry point to $I(L_0 \cup k_0)$. Likewise, $\mathrm{Ticket}(L_0) \cup \mathrm{Distribute}(L_0, S_0) \cup \mathrm{Confirm}(S_0)$ is strongly unserved by these strands. Hence, we may infer that the modified re-authentication protocol does not interfere with the authentication property given in Theorem 5.6. Setting $U$ to be the set containing $A$, $B$, for instance, yields:
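The term classification of Definition 5.2 and the origination check behind Definition 5.3, Clause 3, run over the original re-authentication part II (where, as noted above, a term of Confirm(S_0) originates on a secondary strand) and over the variant II' of Definition 5.7. This is an added example, not code from the paper; the tuple encoding of terms, the concrete values, and the modelling of II's initiator with the same phantom first node as ReInit are assumptions.

```python
# Added example (not from the paper): a small term algebra for the NS analysis and a
# check of Definition 5.3, Clause 3 on the re-authentication roles. Terms are tuples:
# ("name",A), ("text",N), ("key",K), ("cat",t1,...), ("enc",K,t1,...) for {t1 ... tn}_K.
# Concrete values are constructed; modelling part II's initiator with the same
# "phantom" first node as ReInit is an assumption.

def name(x): return ("name", x)
def text(x): return ("text", x)
def key(x): return ("key", x)
def cat(*ts): return ("cat",) + ts
def enc(k, *ts): return ("enc", k) + ts
def is_text(t): return t[0] == "text"          # an element of T \ T_name

def subterms(t):
    """Strand-space subterm relation: the key of an encryption is not a subterm."""
    out = {t}
    for u in (t[1:] if t[0] == "cat" else t[2:] if t[0] == "enc" else ()):
        out |= subterms(u)
    return out

def originating(trace):
    """Subterms of a positive node that occur on no earlier node of the strand."""
    seen, result = set(), set()
    for sign, term in trace:
        if sign == "+":
            result |= subterms(term) - seen
        seen |= subterms(term)
    return result

def in_ticket(t, L0):                           # {X K t_x}_{K'}, K' in L0
    return (t[0] == "enc" and len(t) == 5 and t[1] in L0 and t[2][0] == "name"
            and t[3][0] == "key" and is_text(t[4]))

def in_distribute(t, L0, S0):                   # {X N K t_x}_{K'}, K' in L0, K in S0
    return (t[0] == "enc" and len(t) == 6 and t[1] in L0 and t[2][0] == "name"
            and is_text(t[3]) and t[4] in S0 and is_text(t[5]))

def in_confirm(t, S0):                          # {N}_K, K in S0
    return t[0] == "enc" and len(t) == 3 and t[1] in S0 and is_text(t[2])

def clause3_violations(trace, L0, S0):
    """Originating terms in Ticket(L0) | Distribute(L0,S0) | Confirm(S0)."""
    return {t for t in originating(trace)
            if in_ticket(t, L0) or in_distribute(t, L0, S0) or in_confirm(t, S0)}

# Constructed instance: principals A, B; long-term keys KAS, KBS; session key K.
A, B, KAS, KBS, K = name("A"), name("B"), key("KAS"), key("KBS"), key("K")
Na, Nb, Na2, Nb2, tb = text("Na"), text("Nb"), text("Na'"), text("Nb'"), text("tb")
L0, S0 = {KAS, KBS}, {K}
ticket, distribution = enc(KBS, A, K, tb), enc(KAS, B, Na, K, tb)
phantom = ("-", cat(distribution, ticket, Nb))  # message 3 of protocol I, kept as state
ROLES = {  # original part II: {N'_a}_K and {N'_b}_K are in Confirm(S0) and originate here
    "II init": [phantom, ("+", cat(Na2, ticket)), ("-", cat(enc(K, Na2), Nb2)), ("+", enc(K, Nb2))],
    "II resp": [("-", cat(ticket, Na2)), ("+", cat(enc(K, Na2), Nb2)), ("-", enc(K, Nb2))],
    # variant II' (ReInit, ReResp of Definition 5.7): no originating term is in those sets
    "II' init": [phantom, ("+", cat(Na2, ticket)), ("-", enc(K, Na2, Nb2)), ("+", enc(K, A, Nb2))],
    "II' resp": [("-", cat(ticket, Na2)), ("+", enc(K, Na2, Nb2)), ("-", enc(K, A, Nb2))],
}

if __name__ == "__main__":
    for label, trace in ROLES.items():
        print(label, clause3_violations(trace, L0, S0))
```

Running it reports {N'_a}_K for the II responder and {N'_b}_K for the II initiator, and an empty set for both II' roles, which is the observation the proof of Theorem 5.8 relies on.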

Theorem 5.8 Suppose $\mathcal{C}$ is a bundle in an NS+ space, and

• $s_1 \in \mathrm{Resp}[A,B,N_a,N_b,t_b,K]$ has $\mathcal{C}$-height 3;

• $K_{AS}$, $K_{BS}$ and $K \notin \mathbf{K}_P$; and

• $K$ is uniquely originating.

Then $\mathcal{C}$ contains $s_3 \in \mathrm{Init}[A,B,*,N_b,t_b,K]$ with $\mathcal{C}$-height 2.


6 Discussion

Cryptographic protocols are intended to accomplish very specific goals such as authentication or exchange of keys. Analysis of these protocols has usually centered around understanding how well the protocols achieve these stated goals when executed in isolation.

But in fact cryptographic protocols are never executed in isolation. Key exchange is useful only if the keys are then used for some further purpose, such as exchanging data confidentially. Authentication is meaningful only if some particular actions can be performed by the principals that would not have been permitted had they not been authenticated. These further activities will typically involve the keys or secrets established by the protocol, so there is a risk that these later activities will interfere with the correctness of the base protocol. In many cases, the constraints of practical use mean that an "expensive" protocol is best combined with a "cheaper" protocol, as Kerberos and Neuman-Stubblebine combine one protocol that requires use of a Key Distribution Center with a cheaper re-authentication protocol. Thus, real life is necessarily a case of mixed protocols, even apart from the mixing of independently designed protocols that may be used for unrelated purposes.

In this paper we have developed the simple machinery necessary to reason about this problem within the strand space framework.
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